Archive for February 2016

IBM Plans Resilient Acquisition

IBM has announced plans to acquire Resilient Systems to add incident response capabilities to its services.

The Resilient incident response platform automates and orchestrates the processes needed when dealing with cyber incidents – from breaches to lost devices. This will enable users to respond to and mitigate cyber incidents more quickly while helping minimize their exposure. Financial terms were not disclosed. The transaction is expected to close later this year, subject to any required regulatory reviews.

Upon acquisition of Resilient Systems, IBM Security will offer an integrated end-to-end security operation and incident response platform offering. The platform will bring together security analytics, forensics and vulnerability management along with incident response into a coordinated approach for enterprise threat protection, detection and response.

John Bruce, Resilient Systems Co-Founder and CEO, said: “By combining, the market now has access to the leading prevention, detection and response technologies available in the same portfolio – the security trifecta.”

IBM has also launched new X-Force Incident Response Services, further expanding its capabilities to help clients plan for, manage and respond to cyber-attacks, utilising the knowledge of 3,000 consultants and security researchers globally. New services include a remote incident response capability to help clients map how a breach occurred and take action to shut it down.

IBM X-Force security experts will help clients develop response strategies, including Computer Incident Response Team playbooks, and a means to more effectively discover, track, respond to and report on security incidents. These new capabilities will be further enhanced through the planned acquisition of Resilient Systems.

The new services will also include a new remote incident response service, which actively hunts for threats and allows IBM security experts to remotely manage active attacks via the cloud. Part of this capability will be enhanced via technology from Carbon Black, which will enable IBM security analysts to conduct security forensics on compromised endpoint devices, determine where a breach first occurred, map it across other devices, contain it quickly and take action to shut it down.

“By adding Resilient Systems’ technology and expertise, IBM will have an industry-leading range of capabilities to help clients respond to cyber breaches, across consulting, services, and products,” said Marc van Zadelhoff, General Manager, IBM Security.

“With our intent to acquire Resilient Systems, and our other announcements today, we are doubling down on the incident response market. Cybersecurity needs to function like an immune system, both in preventing breaches, but also in quickly eradicating those that do occur.”

In an email to Infosecurity, Scott Crawford, research director at 451 Research, said: “IBM had incident response services before, but it was part of the overall Professional Security Services organization. This announcement appears to be a more formal, front-and-center positioning of incident response services to be more directly competitive with FireEye-Mandiant et al, which had also recently acquired security automation capabilities with Invotas.

“Resilient is more specifically focused on incident response processes, however, so I would see both IBM announcements as being more directly competitive with FireEye-Mandiant.”

56% of Companies Ignore Encryption on the Cloud

A new report by Thales e-Security and the Ponemon Institute has revealed that the use of encryption within organizations is almost three times greater than it was a decade ago, with 37% of the 5,000 business and IT managers polled saying they have an encryption strategy in place across their entire enterprise. Despite this, the ‘2016 Global Encryption Trends Study’ found that a significant number of companies still have a lot of work to do regarding consistently applied encryption, especially when it comes to the cloud.

Peter Galvin, Vice President of strategy at Thales e-Security, said:

“As businesses increasingly turn to cloud services, we’re seeing a rapid rise in sensitive or confidential data being transferred to the cloud and yet only a third of respondents had an overall, consistently applied encryption strategy. Encryption is now widely accepted as best-practice for protecting data, and a good encryption strategy depends on well-implemented encryption and proper key management.”

More than half (57%) of respondents said that determining where their sensitive data resides is the biggest hurdle they face in deploying encryption. A company not knowing where its sensitive data is, or what it is, becomes a significant issue when you consider the security risks that come with an ever-increasing reliance on cloud-based services, which create more connectivity and more endpoint devices. The danger here is that they also increase a company’s attack surface, effectively removing its ‘perimeter’ and leaving its network more exposed to attack.

“There is no perimeter,” Chester Wisniewski, Senior Security Advisor at Sophos told Infosecurity. “Today's most successful defenses depend upon data classification and acting on that classification. What data is sensitive to your company? Protect that first.”

It is concerning, then, to read that 56% of those polled are transferring sensitive or confidential data to the cloud regardless of whether or not it is encrypted or made unreadable with some other data masking, a figure expected to be as high as 84% from 2018 onwards.

David Kennerley, Senior Manager for threat research at Webroot, said that whilst large companies are discussing the importance of encryption on a daily basis and many insecure protocols are being made redundant, the fact that such a high percentage admitted to transferring data without checking if it is encrypted is very surprising.

“Whether by choice or by accident, it is simply incredible to believe any organization would put its data at risk by transferring it insecurely when so many secure transfer methods and technologies exist. There is no excuse on this one.”

IRS Security Breach: Over 700,000 Now Affected

The United States Internal Revenue Service (IRS) has been forced to admit that a scam targeting taxpayers via its “Get Transcript” application has affected far more people than at first thought – nearly 400,000 more.

In a lengthy update on Friday, the organization claimed that a review of the system following the security incident in May last year had revealed that transcript details for 390,000 additional taxpayers were probably compromised.

That brings the total figure to over 700,000 – far more than the roughly 100,000 initially thought.

Get Transcript was launched in 2014 as an easy way for taxpayers to view, download or have mailed to them their tax transcript.

However, fraudsters soon got in on the act, using stolen Social Security numbers and other personal data to pose as genuine taxpayers in order to get filings and tax returns for previous years reissued to them.

The information contained in these was then used to file fraudulent returns early and claim refunds back from the IRS on behalf of their victims.

The IRS said it will be notifying all those affected from today, as well as offering free identity theft protection services and Identity Protection PINs.

“The IRS is committed to protecting taxpayers on multiple fronts against tax-related identity theft, and these mailings are part of that effort,” said IRS commissioner, John Koskinen, in a statement.

“We appreciate the work of the Treasury Inspector General for Tax Administration to identify these additional taxpayers whose accounts may have been accessed. We are moving quickly to help these taxpayers.”

The organization also claimed it is sharing information about this incident with the states as part of the Security Summit initiative – a partnership between itself, state revenue departments and the tax industry.

The nine-month long investigation into the security incident followed the discovery that scammers were gaming the system back in May 2015.

It was initially thought that 114,000 taxpayers were affected, but that number soon rose by 220,000 in August last year.

It added that using VPNs and HTTPS sites will also improve your ability to stay hidden online.

Downloads of new software can trigger bulk collection of user data, so consumers should be careful to untick any boxes that could lead to extra toolbars, plugins and extensions being installed.

“With tracking data, it’s possible for advertisers, or even malicious third parties, to peer into the life of a person – from where they go, to the sites they browse,” explained Kaspersky Lab principal security researcher, David Emm.

“However, the crux of the problem is that many users simply aren’t cyber-savvy enough when it comes to protecting themselves from online tracking. They may be concerned, but do nothing about it. Even worse, they may not understand that they are putting their privacy at risk at all.”

This might be about to change in Europe, however, with the impending launch of the General Data Protection Regulation (GDPR).

The GDPR will look to impose fines of up to 4% of global annual turnover for firms failing to comply with its strict new rules on data protection.

Part of the new law will also force firms to design products and services with user privacy in mind from the very start.

Snapchat Suckered by Payroll Phishing Attack

Messaging service Snapchat has admitted that sensitive financial information about some of its employees was phished after a member of staff fell for an email scam.

In a blog post on Sunday, the firm claimed that the phishing attack managed to con one of its employees into revealing payroll information about their colleagues.

“Last Friday, Snapchat’s payroll department was targeted by an isolated email phishing scam in which a scammer impersonated our Chief Executive Officer and asked for employee payroll information,” it revealed.

“Unfortunately, the phishing email wasn’t recognized for what it was–a scam–and payroll information about some current and former employees was disclosed externally. To be perfectly clear though: None of our internal systems were breached, and no user information was accessed.”

Snapchat claims it responded swiftly and aggressively to the incident, notifying which employees were affected and offering them identity theft insurance and monitoring for two years.

“When something like this happens, all you can do is own up to your mistake, take care of the people affected, and learn from what went wrong,” the firm admitted.

“To make good on that last point, we will redouble our already rigorous training programs around privacy and security in the coming weeks. Our hope is that we never have to write a blog post like this again.”

“HR and payroll are flooded with emails containing all types of attachments and they are encouraged and even obliged to open them. IT security teams must implement countermeasures against targeted attacks against this channel,” he added.

“At the end of the day, all businesses have a duty of care to ensure that they have robust security systems in place to protect their own and their customers’ data. If they fail to do so, they are rolling the dice when it comes to their reputation and ultimately long-term survival.”

BSidesSF: Government and FBI Still Do Not Understand Cyber-Space

Government and the FBI have a bunch of “frustrated hall monitors” who still do not understand cybersecurity.

Speaking in the opening keynote at Security B-Sides San Francisco, John Perry Barlow, who wrote the Declaration of the Independence of Cyberspace in 1996 and is a founder of the Electronic Frontier Foundation (EFF), said that the FBI is using terrorists as a wedge to drive into the security of the nation.

He said: “The current flailing of the FBI against Apple is a hallmark of how true it is, and the FBI is trying to get Apple to do something it cannot and the FBI is too stupid to realise it cannot. This is how far we have come since meeting with FBI.”

Barlow cited examples of meetings with the FBI back in 1989 when phone phreaking was discovered, “which consisted of early adolescents trying to create the internet by sneaking around phone networks”.

Barlow said he called out the group of “hacker kids” and said if someone took away their modem and replaced it with a skateboard, it wouldn’t matter. “They didn’t like that, and I heard from ten of them in New York City and their voices had not changed, but they were the natives of the future, the pioneers of something and I became the troop leader to the Legion of Doom,” he said. However, Barlow said that despite this funny position, the Secret Service swooped on them.

He said that one called “Acid Phreak” came home and found the FBI had confiscated all his Metallica tapes and anything electronic in his home, and Barlow said an FBI agent wanted to discuss the issue in person, and he spent an hour and a half explaining why it was unlikely to be him who was responsible.

“Cyber-space had been invaded by an initial party of not very bright, extremely well-armed and anti-clued people, and our rights were in danger,” he said. “I also recognised this, and started the EFF, and its objective was to defend the first and fourth amendments, and the first applied to electronically transferred material.”

Barlow went on to say that the FBI is not the enemy, but the enemy is their incentives – driven by a populace's irrational fears. He called on the audience and industry to put our resources where there is a problem, and he said that in government “there is a bunch of frustrated hall monitors and they are fighting for cultural dominance in a world going on since 1966”.

He concluded by saying that a patriot in terms of cyber-space is someone who believes in a vision that everybody everywhere has the right to know, and now it is possible to convey and create a communications network that if you are curious about something, no matter how odd, you can find out everything known by humans on that subject and then you have a global ecosystem of mind that is capable of thinking unbelievable thoughts.

“Your responsibility is to shoot for that kind of outcome even as you try to figure out ways to protect abuse of free speech from dominating conversation. You define the end and what gets through.”

Undetectable Angler EK Targets Extendoffice

The popular Extendoffice website has been found to be delivering the Angler exploit kit to unsuspecting visitors.

Extendoffice sells add-ins for Microsoft Office, and ranks in Alexa's top 5,500 websites in the US and top 10,000 globally, meaning that it likely has more than 1 million visitors per month. Trustwave SpiderLabs uncovered the attackers using the site last week, redirecting its visitors to the Angler EK which, upon successful exploitation, dropped the TeslaCrypt ransomware on the victim machine. The site runs on Joomla, which has known vulnerabilities that the perpetrators likely exploited, Trustwave researchers said.

Disturbingly, the site was cleaned, but the EK has once again attached itself to it, renewing its efforts. And here’s a probable reason: the worst thing about this incident is that a quick URL scan on VirusTotal shows that the attack has gone largely unnoticed, with a near-non-existent detection rate. According to VirusTotal, only one URL scanner (Trustwave’s engine) is labeling the website as malicious, leaving many users still exposed to the attack.

“Clearly, the threat of exploit kits is not going away any time soon,” a Trustwave spokesperson said via email. “In fact, it's only becoming more of an issue that can result in huge monetary loss for organizations. According to Trustwave's 2015 Global Security Report, cyber criminals receive a 1,425% return on their investment for exploit kit and ransomware schemes.”

Exploit kits have evolved with alarming speed, heightened stealth and novel shape-shifting abilities, according to the latest Dell Security Report. Last year’s most active kits were Angler, Nuclear, Magnitude and Rig, and the overwhelming number of exploit kit options gave attackers a steady stream of opportunities to target the latest zero-day vulnerabilities, including those appearing in Adobe Flash, Adobe Reader and Microsoft Silverlight.

Mitigation begins with patching, the researchers noted.

“Unfortunately, as end users we have no control over the safety measures taken by websites to secure our visit to them, but by keeping our software up-to-date we can make sure that our attack surface remains minimal,” the report noted. “For enterprises, it is important to have security products in place that are able to deal with these threats and protect corporate users.”

Ransomware Strikes a Group of German Hospitals

A group of German hospitals have become the latest victims of a ransomware attack—a state of affairs that has knocked them offline and reduced doctors to swapping handwritten notes instead of emails.

The first victim was Lukas Hospital in Germany's western city of Neuss—staffers began to be plagued by pop-up windows, and then noticed the systems getting slower and slower. Eventually, they proactively shut down their systems entirely, concerned about the safety of patient data.

"We then pulled the plug on everything," spokesperson Dr. Andreas Kremer told DW. "Computers, servers, even the email server, and we went offline."

It was soon clear that it was a ransomware attack, he added: “Our IT department quickly realized that we caught malware that encrypts data. So if the X-ray system wants to access system data, it failed to find it because it's been encrypted, so it displays an error message.”

Just two days after the Lukas Hospital was hacked, Klinikum Arnsberg Hospital in the German state of North Rhine-Westphalia fell victim. The vector was a social engineering ploy that sent a malicious attachment in an email.

Klinikum Arnsberg spokesperson Richard Bornkeßel said that staffers detected the virus on one of the 200 servers.

"Fortunately, it was only one server that was affected,” he said. “The virus had started to encrypt files,” so the IT department switched off the entire system to avoid further infection.

And, at least one other hospital in the same state also shut down its systems to avoid a potential hack.

In Klinikum Arnsberg’s case, it was able to restore its files from a backup fairly easily since it had only the one server to deal with. Lukas Hospital was not so lucky. On the advice of the State Criminal Investigation Office (LKA), the hospital's security experts have developed special software to cleanse the infected system and scan the more than 100 servers and some 900 devices connected to it—a task that will take the department until early summer to complete.

Pen and paper have for now supplanted email, and fax machines are being used to exchange patients' reports and X-rays. But there are other ramifications.

"High-risk surgeries were pushed to later dates due to safety reasons, but 80-85% of all operations took place as planned," Kremer said.

Ransom demands for large organizations can reach into the tens of thousands of dollars, making this a key issue for businesses. It’s also not enough to be prepared for the existing set of threats.

“Malware authors regularly change their tactics to try and stay one step ahead of their target victims,” said Carl Leonard, principal security analyst at Forcepoint, in an email. “New strains of encrypting ransomware are now showing up every week, so businesses have to remain vigilant and ensure they supplement strong security defenses with security best practices. It is vital to back up and archive critical data, only open email attachments from trusted or verified senders and disable Microsoft Office macros by default, only to be enabled when absolutely necessary.”

87% of Open-Source Vulns Are XSS and SQL Injection

Cross-site scripting vulnerabilities still top the open-source vulnerability heap, new research has revealed.

Cross-site scripting, also known as XSS, allows the attacker to inject malicious client-side scripts into a website, which are later executed by the victims while browsing the website. There are different cross-site scripting variants, all of which can be used to craft different types of attacks.

Based on the scanning of almost 400 open source web applications by the Netsparker security scanning engine, XSS accounts for 67% of all the identified vulnerabilities. SQL injection vulnerabilities were a distant second, amounting to 20% of the total. The remaining 13% were made up of remote and local file inclusions, CSRF, remote command execution, command injection, open redirection, HTTP header injection (web server software issue) and frame injection.

“Cross-site scripting and SQL injection vulnerabilities have been included in the OWASP Top 10 since the project started, mainly because they are very easy to find and also very easy to exploit,” the researchers noted. “And yet, even after years of raising awareness about these vulnerabilities, the majority of the web applications we use are vulnerable to these types of vulnerabilities.”

The report added that while, when dealing with databases, parameterized queries make it very easy to make all the common create, read, update and delete (CRUD) operations safe against SQL injection attacks, XSS is a different animal—and it will continue to take the lion’s share of the vulns.

“Today’s complex web applications are not making the developers’ job any easier,” the report noted. “Developers have to understand all the different contexts of the XSS attacks to write code that is not susceptible to XSS vulnerabilities. Unless they do understand it and write or use a library that can protect the application against XSS attacks in all output contexts (HTML, attribute, JavaScript, client-side template etc.), we will keep on seeing the same trend; expect less SQL Injection and more cross-site scripting vulnerabilities in web applications.”
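The two points above, parameterized queries for the SQL side and per-context output encoding for the XSS side, are easier to see in working code. The following is an added example written for this page; it is not code from the Netsparker report or from any of the scanned applications. It uses only the Python standard library, an in-memory SQLite table with constructed rows, and hypothetical function names (lookup_vulnerable, lookup_parameterized, render_profile and so on) chosen for illustration. It deliberately keeps the vulnerable query and a naive JavaScript-context encoder beside their safe counterparts so the difference is visible on a payload.

```python
"""Added example (not from the page or the report): SQL injection versus
parameterized queries, and context-aware output encoding against XSS.
Everything here is constructed for illustration and runs offline."""
import html
import json
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample table, in memory.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # Deliberately vulnerable: the input is spliced into the SQL text, so a
    # value like "' OR '1'='1" changes the structure of the WHERE clause.
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' ORDER BY id")
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    # Safe: the value is bound as data by the driver; the SQL text is fixed,
    # so the same payload is simply a username that matches nothing.
    sql = "SELECT username FROM users WHERE username = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (username,))]


# --- XSS: one encoder per output context -------------------------------

def for_html_text(value: str) -> str:
    # HTML body context: &, <, >, " and ' become entities.
    return html.escape(value, quote=True)


def for_html_attribute(value: str) -> str:
    # Quoted attribute context: same entity set, and the template must
    # always put quotes around the attribute value (see render_profile).
    return html.escape(value, quote=True)


def js_string_naive(value: str) -> str:
    # Looks safe but is not: json.dumps leaves "</" alone, so a payload
    # containing "</script>" closes the script block in the HTML parser
    # before the JavaScript parser ever sees the string literal.
    return json.dumps(value)


def for_js_string(value: str) -> str:
    # JavaScript string literal context: JSON-encode (ensure_ascii also
    # escapes U+2028/2029), then neutralise "</" so the HTML parser cannot
    # terminate the surrounding <script> element from inside the literal.
    return json.dumps(value).replace("</", "<\\/")


def render_profile(display_name: str) -> str:
    # The same untrusted value rendered into three contexts, each with the
    # encoder that matches that context. Using for_html_text everywhere
    # would be wrong for the <script> block, and js encoding would be
    # wrong for the <h1>.
    return (
        f"<h1>{for_html_text(display_name)}</h1>\n"
        f'<input name="nick" value="{for_html_attribute(display_name)}">\n'
        f"<script>var nick = {for_js_string(display_name)};</script>"
    )


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "' OR '1'='1"))      # every row leaks
    print(lookup_parameterized(db, "' OR '1'='1"))   # []
    print(render_profile("</script><script>alert(1)</script>"))
```

The SQL half shows why the report calls CRUD "very easy" to make safe: swapping concatenation for a bound parameter is a mechanical change with no per-context reasoning. The XSS half shows the opposite: the same string needs a different encoder in each of the three contexts, and an encoder that is almost right (js_string_naive) still lets "</script>" through.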

Netsparker argues that, contrary to popular belief, XSS vulnerabilities can be as dangerous as SQL injection. Conventional wisdom says that because the victim is the visitor of the website rather than the actual web application, the web server or the data stored in the database, the damage is contained. In other words, the hacker would only gain access to the specific user’s profile, private messages and forum posts, rather than tamper with the web application itself to steal whole swathes of sensitive data, such as customer details and credit card numbers.

But what if the victim of the XSS attack is the forums administrator? An attacker can then work his or her way up to gain root access to main shell servers.

Cloud Apps Not Ready for GDPR

Enterprises rely on the cloud now more than ever, with a report by Netskope revealing an average of 769 cloud apps currently in use per organization, an increase of 26.5% since its last study.

Despite this, as many as 88% of apps are not enterprise-ready – lacking important functionality such as security, service-level agreement and vulnerability remediation.

Netskope say organizations currently have a lot of work to do when it comes to monitoring and mitigating cloud-based threats.

Sanjay Beri, co-founder and CEO of Netskope said:

"Now more than ever, it's imperative that organizations have complete visibility into and real-time actionable control over their cloud app usage to better monitor and understand trends and vulnerabilities. It's only with this knowledge that IT can begin to protect against threats lurking in cloud apps, such as malware."

Whilst the cloud access security broker found a very low proportion (4.1%) of companies were using ‘sanctioned’ apps that contained malware, when you consider that sanctioned apps normally make up less than 5% of an organization’s cloud app footprint, malware in the cloud could be a far bigger issue than we realize.

Sync and share mechanisms, used by the majority of cloud storage apps, play a significant role in the quick spreading of malware throughout a company, creating a ‘fan-out’ effect.

If the files of a single user become infected, and those files are also in a cloud sharing folder, then when they are automatically synced the versions of the files in the cloud also become encrypted. From there, other users who sync the same folder to their devices will have their files encrypted too. This shows that attackers can take advantage of one of the cloud’s most useful capabilities, turning it into a company’s worst nightmare.

With the upcoming General Data Protection Regulation (GDPR) having the power to impose fines of up to 4% of global turnover (or €20 million, whichever is higher) on companies that do not meet its privacy standards, security is now of the utmost importance for all organizations that do business in Europe.

This is especially true for cloud-consuming companies who are likely to face an uphill struggle because the cloud uses so many connected endpoints, and so securing them is a difficult task. The report, along with further research by Netskope, found companies are clearly feeling the heat from this, with only one in five confident they will comply with the GDPR.

Speaking to Infosecurity, David Kennerley, Senior Manager for threat research at Webroot said:

“As with any technology, security should be at the forefront of any decision. Without doubt, moving to any cloud-based service introduces another attack vector organizations need to defend against.

“IT departments need to be taking a lead role in how cloud computing is utilized, managed and most importantly secured. With the reduction in support for the more traditional in-house services, it’s essential new cloud offerings receive at least the equivalent amount of support and management. The technology is only part of any solution, it’s the planning, implementation, the controls and monitoring that make any solution reach its full potential and reward the business accordingly.”

Kennerley also explained that failing to implement a strong cloud security infrastructure can be extremely damaging for a company, and not just because of GDPR fines.

“Public confidence has been severely knocked by the recent spate of high-profile attacks, and businesses need to start taking a more vocal stance on their cybersecurity,” he continued.

“The most important thing to remember is that it’s your data and you are responsible for securing it.”